If we have to get up and pray, we do not have freedom to pray. People who refuse to stand up to pray at the beginning of a rodeo are people we have to be grateful for.
Oddly, Jehovah's Witnesses have been the only people to ignore it. I've watched Mormons walk up and turn away, though.
Mormons are more fun for this, but Jehovah's Witnesses are a laugh riot.
I'm assuming that by capital-A versus lowercase-a atheists, you are trying to underscore the differences between people who understand that religion is a hoax but it doesn't affect me right now so I'll let it pass, and those who have been directly affected by religion and its evils and see no other way but to fight it as hard as they push it?
I will try to explain why this is bad: engaging the mentally ill in their delusions is not only mean (you don't believe their crazy stories, so why listen to them?), it's bad for society as a whole, because this is an untreated mental illness that is totally treatable and it's being spread because people refuse to treat it as a mental illness and instead say, believe what you want.
why is it bad to allow the masses to remain ignorant?
you (hopefully) wouldn't teach your children that the world is flat, because you were educated against such teachings.
you wouldn't teach a medical student about the human body without allowing them to learn about the human body by cutting it open and studying it.
you wouldn't let your neighbor spray your yard with ddt (hopefully) because a higher being told him it was safe.
you wouldn't take advice from someone on the Internet without first researching the topic (we all do)
yet we'll freely entertain the insanity of religion because why? so many people believe it?
we all thought the world was flat, the human body was designed by God and shouldn't be examined, sprayed ddt right in our children's faces, and still take advice from strangers on the Internet without doing research because, we're sheep (Hanlon's razor).
it's all stupidity, and fear. we're all alone, there is no guidebook and we're so painfully self-aware.
when you have No explanation, any explanation seems possible.
the world is not flat, but knowing we knew, was comforting.
anyways, what was I trying to get at?
don't let them in. keep them very far away from you.
if you want to help change the world, be proactive. openly challenge religious beliefs any time they are presented. it could get you killed. it will get you beaten.
but we all have a duty to further the human species, and putting us second to imaginary beings is not exactly the way to go about it IMO.
When it happens to me, as soon as I realize I say "sorry" and close the door.
When my door rings unexpectedly, I'm more worried it might be someone I know, as I'm usually in the middle of my work day, as in hacking stuff in my underwear.
With email I used to politely say, "I'm not interested" to the spammer's email. (I've been on the other side, and it's tough work.) Then I realized that it's just feeding the beast, so I usually ignore and mark as spam.
The last time this happened, I technically wasn't on the lease, so my wife discouraged me from following them around the building, introducing myself to the neighbors and breaking their spiel.
IF I am running up-to-date versions of Windows and Chrome, and I click on this link, is it game over? Or do I get another chance to refuse installation of whatever malware is in the payload?
This title suggests Facebook is doing this, even though it's clearly a malware exploit
Submitters: please use the original title unless it is misleading or linkbait. That's in the site guidelines (https://news.ycombinator.com/newsguidelines.html). Making a title more misleading and linkbait is the wrong direction!
(Submitted title was 'Facebook tricked me into downloading an obfuscated script'.)
The post outlines in some detail a common attack done by some actors known as BePush/Killim. I made a request for help in fighting these clowns months ago on a private security working group. Here's the post below which outlines a good amount of detail about the hacks and motives. If you are interested in tracking these actors yourself, it's pretty easy once you find one of their command and control servers.
Example: https://www.passivetotal.org/passive/userexperiencestatics.n...
From there, we can see the actors are using Cloudflare to obfuscate their infrastructure, but we can make a pivot based on the WhosAmongUs IDs (dsafagegg2 [1] and dsafagegg [2]) in order to find more websites owned by these guys. It's a rats nest that extends to hundreds of domains registered weekly. Servers are typically hosted in places where legal action is difficult meaning the attacks seldom stop or go down completely.
[1] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg2
[2] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg
-----------------------------------------------
As promised, below is a quick high-level summary of the malware outlined in the subject. We've been dealing with the malware for months and while some would call it spam, we consider it malware simply because any of the executables or Chrome extensions could be changed to steal passwords, credit cards or every document off a system. We welcome any help in dealing with these actors and would also be interested in new ways to combat malicious extensions, both Chrome and Firefox as those are only increasing in usage.
If you would like more information on the technical details of the binaries, extensions or other loaders, feel free to shoot me a message. If there's enough interest, I will just spam the list, but would prefer to keep this to the higher level points, so others gain a better understanding of the threat.
-= Summary =-
BePush is a set of Turkish-based actors who use innovative techniques to spread malicious code and spam through social networking sites and ad-based networks. Those involved in the development of BePush malware are constantly adjusting their TTPs to account for changes in detection or disruption. Actors favor multiple levels of obfuscation through the use of short-url redirectors, third-party hosting providers and multi-stage payloads. Despite high infection rates, local law enforcement has yet to take an interest in pursuing those actors involved.
-= Infection Process =-
Based on our logs, primary infection processes tend to occur through direct traffic, followed by Facebook and various ad providers. Shortened URL links are shared among users which typically traverse through a series of redirects to a landing page mimicking Facebook infrastructure and using porn as a lure to install a plug-in. Depending on the attacker behavior, payloads may be delivered in the form of a Google Chrome extension (hosted within the store) or through an executable (likely AutoHotkey, but could be Pyinstaller based) that later replaces Chrome with a version of Chromium with their malicious extension.
Once installed, malicious code will make use of the Facebook Graph API in order to make requests/posts on behalf of the infected user using a stolen access token. In order to establish a high infection count, the malicious code will often create pages with malicious links, post statuses/comments to the user's friends and spam within certain application pages. Once the spreading routine completes, the process generally begins again with the infected user's friends.
-= Motives and Capabilities =-
It appears the primary motivation for the BePush actors is the money gained through the sale of Facebook likes, followers or various ad-network and affiliate partners. In some cases, Facebook observed BePush actors including a bundled bitcoin miner, but it never appeared to gain much popularity.
From a capabilities perspective, actors involved with BePush appear to pay attention to how their code is detected. When numbers begin to dwindle, changes to the code or 3rd-party providers are made. Actors demonstrate a level of understanding in .Net programming, Python, JavaScript and techniques used to detect spam. We have also observed the actors repurposing browser exploits, but we never saw these used against users.
-= Third-Party Provider Usage =-
BePush favors the use of free and open infrastructure in order to keep their campaigns alive long enough to get a strong infection foothold. The following providers have been observed in some capacity:
- Amazon AWS - Used for hosting content
- Dropbox - Used to host binaries
- Box.com (http://box.com/) - Used to host binaries
- Bitly - Used for redirection
- Tinyurl - Used for redirection
- Godaddy - Used for redirection
- WhosAmungUs - Used for campaign tracking
- Stellar - Used for bitcoin wallet hosting
- Imgur - Used for redirection
- Dot.tk - Used for redirection
- Google - Used for redirection, Chrome extensions and binary hosting
- CloudFlare - Used to obfuscate real infrastructure
- Microsoft Azure - Used to host binaries
-= Detection and Research =-
BePush has a limited set of providers they prefer to use and through industry relationships, we have been able to put pressure on the attackers. Here are a couple items we noticed when doing disruption work that helped in making a larger impact against the group.
- Using passive DNS data to identify other domains sitting on the same IP address (these guys don't use a lot of unique servers)
- Use ESET (Facebook) or Microsoft (Kilim) AV signatures to identify new binaries being used
- Polling whos.amung.us (http://whos.amung.us/) tracking pixels in order to identify/gauge recent campaigns
- Reaching out to 3rd-parties with domain and hash combination for takedown
-= Reference Hashes and Domains =-
www[.]filmgetir[.]com
https://www.virustotal.com/en/file/9e4484240df6e891b2a07c1ff2345e0864dd8b54e005c58388c6556cdc7cc120/analysis/
www[.]kingtr[.]click
https://www.virustotal.com/en/file/9e4484240df6e891b2a07c1ff2345e0864dd8b54e005c58388c6556cdc7cc120/analysis/
www[.]pornokan[.]com
https://www.virustotal.com/en/file/c5eeef4da2c64e8633b1f00745fecb0b692be27d4b615df086201754b07ebe60/analysis/
https://www.virustotal.com/en/file/3566452da48ba0fa31b11deae561b4d5f2a1385e83fd5537a021e75b649664b6/analysis/
https://www.virustotal.com/en/file/1a0163780f07aeaafd9e94fbe628b3f354b25afbec1f7c6e6e401cc7c06d909a/analysis/
https://www.virustotal.com/en/file/b216915643628834acd60e7ae9647e51baca636d8b05ea66857d40c9d04172a8/analysis/
https://www.virustotal.com/en/file/80d9d1df0d859fe6759bba7077be1a15eea477774c91e789e9d5988f19f0a023/analysis/
https://www.virustotal.com/en/file/940bc772a2e301e15a326e667a318942dd840149afa4031245dd125c645330ab/analysis/
http://whos.amung.us/stats/pingjse3462
http://whos.amung.us/stats/pingjse346
I interpret that as it started downloading when clicking the notification but the picked answer suggests otherwise.
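The BePush post above lists defanged domains, VirusTotal hash links, and two detection ideas (pivoting on shared IPs in passive DNS, correlating domain and hash indicators). The script below is an added example, not code from the thread or from the poster's working group: it refangs the quoted domains, pulls the SHA-256 values out of the quoted VirusTotal URLs, expands the domain set through a passive-DNS pivot, and scans log lines for hits. The passive-DNS records, the co-hosted domain `cdn-static-example.tk`, the IP addresses (documentation ranges) and all log lines are constructed for illustration; the `max_hosts_per_ip` cap is my own guard against pivoting on shared CDN or hosting IPs such as the Cloudflare fronting the post mentions.

```python
"""Added example: turn the BePush reference indicators into a small detection pass.
Not the thread's or the working group's code; passive-DNS records, IPs and log lines are constructed."""
import re
from collections import defaultdict

# Indicators exactly as quoted in the post (defanged with [.]).
DEFANGED_DOMAINS = [
    "www[.]filmgetir[.]com",
    "www[.]kingtr[.]click",
    "www[.]pornokan[.]com",
]

# Two of the VirusTotal links quoted in the post; the hash is embedded in the URL.
VT_URLS = [
    "https://www.virustotal.com/en/file/9e4484240df6e891b2a07c1ff2345e0864dd8b54e005c58388c6556cdc7cc120/analysis/",
    "https://www.virustotal.com/en/file/c5eeef4da2c64e8633b1f00745fecb0b692be27d4b615df086201754b07ebe60/analysis/",
]

# Constructed passive-DNS observations: (hostname, resolved IP).
# IPs are RFC 5737 documentation addresses, not real infrastructure.
PDNS_RECORDS = [
    ("www.filmgetir.com", "203.0.113.10"),
    ("www.kingtr.click", "203.0.113.10"),
    ("cdn-static-example.tk", "203.0.113.10"),  # constructed co-hosted domain
    ("www.pornokan.com", "198.51.100.7"),
    ("unrelated-example.org", "192.0.2.44"),
]

# Constructed log lines: three proxy records and one EDR file-creation record.
LOG_LINES = [
    '2015-06-01T10:00:01Z proxy client=10.0.0.5 url="http://www.kingtr.click/video.php?id=1" status=302',
    '2015-06-01T10:00:02Z proxy client=10.0.0.5 url="http://cdn-static-example.tk/plugin.exe" status=200',
    '2015-06-01T10:00:03Z proxy client=10.0.0.9 url="https://www.example.com/" status=200',
    '2015-06-01T10:00:05Z edr host=WS-05 action=file_created '
    'sha256=9e4484240df6e891b2a07c1ff2345e0864dd8b54e005c58388c6556cdc7cc120 path="C:\\Users\\u\\Downloads\\plugin.exe"',
]

SHA256_IN_VT_URL = re.compile(r"/file/([0-9a-f]{64})/")
URL_HOST = re.compile(r'url="https?://([^/"]+)')
SHA_FIELD = re.compile(r"sha256=([0-9a-f]{64})")


def refang(domain: str) -> str:
    """Turn 'www[.]example[.]com' back into a matchable lowercase hostname."""
    return domain.replace("[.]", ".").lower()


def hashes_from_vt_urls(urls):
    """Extract the SHA-256 from each VirusTotal file URL."""
    hashes = set()
    for url in urls:
        m = SHA256_IN_VT_URL.search(url)
        if m:
            hashes.add(m.group(1))
    return hashes


def pivot_on_shared_ip(seed_domains, records, max_hosts_per_ip=50):
    """Expand the seed domains to every hostname sharing an IP with a seed.
    IPs carrying more than max_hosts_per_ip hostnames are skipped: shared
    hosting or a CDN front would otherwise drag in unrelated domains."""
    by_ip = defaultdict(set)
    for host, ip in records:
        by_ip[ip].add(host.lower())
    seeds = {d.lower() for d in seed_domains}
    expanded = set(seeds)
    for hosts in by_ip.values():
        if hosts & seeds and len(hosts) <= max_hosts_per_ip:
            expanded |= hosts
    return expanded


def scan_logs(lines, domains, hashes):
    """Return (line_index, indicator) for each line touching a known domain or hash."""
    hits = []
    for i, line in enumerate(lines):
        m = URL_HOST.search(line)
        if m:
            host = m.group(1).split(":")[0].lower()  # drop an explicit port
            if host in domains:
                hits.append((i, host))
                continue
        m = SHA_FIELD.search(line)
        if m and m.group(1) in hashes:
            hits.append((i, m.group(1)))
    return hits


def run_detection():
    """Build the indicator sets from the quoted post and scan the constructed logs."""
    seeds = [refang(d) for d in DEFANGED_DOMAINS]
    domains = pivot_on_shared_ip(seeds, PDNS_RECORDS)
    hashes = hashes_from_vt_urls(VT_URLS)
    return scan_logs(LOG_LINES, domains, hashes)


if __name__ == "__main__":
    for idx, ioc in run_detection():
        print(f"hit on log line {idx}: {ioc}")
```

The pivot is the part that needs judgement in practice: the post notes the actors sit behind Cloudflare, so a shared-IP pivot on a CDN edge address would match thousands of innocent sites, which is why the example caps the number of hostnames per IP before expanding the set.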